Posted by Sonata Ožemblauskaitė, Group Security and Compliance Manager
Over 20 billion data records were leaked in 2020 across 1,120 data breaches and cyber-attacks, a 50% increase in the number of breaches compared to 2019. COVID-19 related scams and the rapid move to remote working certainly caused a lot of security issues, but will these issues continue this year?
As per the World Economic Forum’s Global Risks Report 2021, cybersecurity risks continue to rank highly among global risks.
This is not without reason. In January 2021 alone, around 878 million records were breached. 57% of IT decision-makers believe that remote workers will expose their firms to the risk of a data breach. An IBM study found that many employees were new to working from home and had not been given guidelines on how to securely handle customers’ personally identifiable information. Some of those findings:
This is understandable: companies had to switch to working from home suddenly, with little time to prepare. However, a CBRE survey indicates that even after the pandemic, many employees will want to continue working from home, at least on some days.
Remote working has exposed security gaps. Unsecured home networks, BYOD (bring your own device) and siloed operations mean that threats which were previously visible on the company network are now hidden on home networks. Your employees are also your most exposed attack surface: phishing, vishing and ransomware target them directly, and it is far easier for an attacker to intercept traffic on, or gain access to, an unprotected home network than a managed corporate one. As a company, you therefore need to rethink how you approach your cybersecurity program to support this move; otherwise, cybercriminals will continue to evolve and exploit the vulnerabilities of remote working.
What can you do to ensure your employees are secure?
Do you know what your employees already know? Does your training cover the areas relevant to remote working? Do your employees know who to contact if a security breach happens? Can they recognize social engineering attacks?
Employees play an important part in the “protect” and “detect” functions of your cybersecurity program. You need to provide appropriate cybersecurity training that ensures they understand how to protect your company. They also need to understand how to detect a potential threat and how to respond to it. You do not want employees hiding incidents from you because they fear repercussions; quite the opposite, you need to train them to recognize a threat and know what to do. That is your first line of defense.
This also applies to your company’s management. It is important that managers understand security best practices for working and managing teams from home, as they are the ones who need to convey and reinforce cybersecurity knowledge to employees. Make security a “team sport” rather than confining it to one department.
Employees need context to understand their role in security and how it affects them and your company: real-life scenarios and what they could do in each. Annual security awareness training without the current “remote working” context or its potential impacts will be irrelevant to your employees. To make training effective, you need to understand what your employees know and where their cybersecurity knowledge gaps are. How do you bring this context into your training program? How do you know which areas to cover?
Make it engaging: present your employees with real-life scenarios and their consequences. Finding or developing new resources can be costly and time-consuming, so Questionmark has addressed this by developing a “Cybersecurity for Home-based Workers” test.
The test presents participants with real-life scenarios and issues that working from home has created. It allows you to assess the current level of knowledge and identify whether you have a problem. The results help inform decisions on training and development to address those gaps.
When you do not understand the problem, new training or alternative solutions may only create new problems. You cannot fix what you do not know is broken. So I suggest taking one step at a time: use the test to identify the problem, namely the cybersecurity knowledge gaps, then address those areas in your context-specific training.
Why don’t you try our three-question sample test and see how you do?
Sonata Ožemblauskaitė is the Group Security and Compliance Manager and Product Manager at Questionmark. She is CIPP/E certified and a member of the International Association for Privacy Professionals. Sonata has 4+ years’ experience working on legal and security matters and holds an LLM in International Law and a BA in International Law and International Politics. She is part of the team that created the Cybersecurity for Home-based Workers assessment along with other Questionmark ready-made assessments.